The Community Forums

How can I make sense of....

Discussion in 'General Discussion' started by lamp, Nov 29, 2004.

  1. lamp

    lamp Well-Known Member

    Joined:
    Dec 22, 2003
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    How can I make sense of my LogWatch logs? What do all of these unmatched entries mean? Are there any docs out there, or has anyone seen these things before?

    For instance I got the following:

    --------------------- courier-mta Begin ------------------------
    **Unmatched Entries**
    Authenticated user=username domain=domain.com host=localhost [127.0.0.1]:
    25 Time(s)
    Logout user=??? domain=??? host=UNKNOWN: 39 Time(s)
    ---------------------- courier-mta End -------------------------

    --------------------- Kernel Begin ------------------------
    Dropped 3317 packets on interface eth0
    From 24.176.15.169 - 2 packets to tcp(5000)
    From 24.209.115.120 - 1 packet to tcp(5000)
    From 24.239.159.142 - 8 packets to tcp(901,901,901,901,901,901,901,901)
    From 24.254.81.174 - 18 packets to tcp(1025,2745,6129,1025,2745,6129)
    .... Hundreds more... (I guess this is APF working...)
    --------------------- Kernel End ------------------------

    --------------------- Named Begin ------------------------
    **Unmatched Entries**
    client 132.206.27.51 error sending response: host unreachable: 160 Time(s)
    client 132.216.77.249 error sending response: host unreachable: 95 Time(s)
    client 132.216.77.250 error sending response: host unreachable: 142 Time(s)
    client 68.6.16.28 error sending response: host unreachable: 1 Time(s)
    ---------------------- Named End ------------------------


    --------------------- proftpd-messages Begin ------------------------
    **Unmatched Entries**
    matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
    matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
    ... Hundreds more ...
    --------------------- proftpd-messages End ------------------------


    Thanks (as always)

    Lamp
     
  2. ctbhost

    ctbhost Well-Known Member

    Joined:
    May 31, 2002
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    I have similar ones and would like to know what they all mean. Can someone please advise?
     
  3. picoyak

    picoyak Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Far as I can figure...

    Reporting for logwatch is processed via scripts located at /etc/log.d/scripts/services/. When logwatch runs, it processes your log files with these scripts and looks for criteria that will match output descriptions.

    For instance, if logwatch was looking through /var/log/messages, then it's looking for things such as 'Connection Refused' or 'Timeout From'. Stuff like that. For each service that logwatch processes, it will look for all messages pertaining to that service.

    So let's say logwatch is processing sshd messages out of /var/log/messages and running them through the script /etc/log.d/scripts/services/sshd. It'll hunt down everything related to sshd in /var/log/messages and process it, then create an output section of the logwatch message based on the rules in that script. Now if there are items in /var/log/messages that have no description defined in the sshd script then those are reported as Unmatched Entries. They may be things you want to look closer at, or they may be things that you want to add a custom filter in for logwatch to parse or not report at all.

    Personally I haven't bothered with customizing logwatch output or filtering. Dunno whether that's good or bad. I'd love to hear other opinions on that myself :)
     
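To make the matched/unmatched split described above concrete, here is an added example (not code from the original thread, and not logwatch's own Perl service scripts) that imitates what a service script does: each rule is a regex plus a description; a line that hits a rule is counted under that description, and anything left over is reported verbatim as an "Unmatched Entry" with a count. The rule tables, the syslog prefix pattern and the sample proftpd lines are all constructed for the example and are not taken from any real logwatch script.

```python
import re
from collections import Counter

# Hypothetical per-service rule tables standing in for the Perl scripts
# logwatch keeps under /etc/log.d/scripts/services/. Each rule is a
# (compiled regex, description) pair. A log line is "matched" by the first
# rule whose regex hits it; otherwise it is reported as an unmatched entry.
# The patterns below are illustrative assumptions, not logwatch's real rules.
SERVICE_RULES = {
    "proftpd-messages": [
        (re.compile(r" - FTP session closed\.$"), "FTP sessions closed"),
        (re.compile(r" - USER (\S+): Login successful\.$"), "Successful logins"),
    ],
    "courier-mta": [
        (re.compile(r"^imapd: LOGIN, user=(\S+), ip=\[([^\]]+)\]"), "IMAP logins"),
    ],
}

# Syslog lines carry a "timestamp host program[pid]:" prefix. Strip it so the
# rules only see the message body; the prefix format here is an assumption
# matching the traditional BSD syslog layout.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ [\w./-]+(?:\[\d+\])?: ")


def strip_prefix(line):
    """Return the message body of a syslog line without its header."""
    return SYSLOG_PREFIX.sub("", line.rstrip("\n"), count=1)


def process_service(lines, rules):
    """Run one service's rules over log lines.

    Returns (matched, unmatched): matched counts lines per rule description,
    unmatched counts every body that hit no rule, keyed by the exact text, which
    is why near-identical lines from different hosts show up as separate entries.
    """
    matched = Counter()
    unmatched = Counter()
    for line in lines:
        body = strip_prefix(line)
        if not body:
            continue
        for pattern, description in rules:
            if pattern.search(body):
                matched[description] += 1
                break
        else:
            unmatched[body] += 1
    return matched, unmatched


def render(service, matched, unmatched):
    """Format a section the way logwatch prints it in its report e-mail."""
    out = [f"--------------------- {service} Begin ------------------------"]
    for description, n in matched.most_common():
        out.append(f"{description}: {n} Time(s)")
    if unmatched:
        out.append("**Unmatched Entries**")
        for body, n in unmatched.most_common():
            out.append(f"{body}: {n} Time(s)")
    out.append(f"---------------------- {service} End -------------------------")
    return "\n".join(out)


# Constructed sample log lines in proftpd's syslog style (not real captures).
SAMPLE_LOG = """\
Nov 28 04:02:11 matrix proftpd[4187]: matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
Nov 28 04:02:12 matrix proftpd[4190]: matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
Nov 28 09:15:40 matrix proftpd[5021]: matrix.aladin.ca (10.0.0.5[10.0.0.5]) - USER alice: Login successful.
Nov 28 09:20:02 matrix proftpd[5021]: matrix.aladin.ca (10.0.0.5[10.0.0.5]) - FTP session closed.
Nov 28 09:21:00 matrix proftpd[5033]: matrix.aladin.ca (10.0.0.9[10.0.0.9]) - no such user 'admin'
""".splitlines()


def report_proftpd(lines=SAMPLE_LOG):
    """Convenience wrapper: process the sample with the proftpd rule table."""
    matched, unmatched = process_service(lines, SERVICE_RULES["proftpd-messages"])
    return render("proftpd-messages", matched, unmatched)


if __name__ == "__main__":
    print(report_proftpd())
```

Run as a script, it prints one section in the same layout as the original post: the two "FTP login timed out" lines from 127.0.0.1 collapse into a single unmatched entry with a count of 2, and the "no such user" line appears as a second unmatched entry. Adding a rule for a line you have looked at and decided is noise moves it out of the unmatched list, which is the "custom filter" step mentioned above; a line that keeps recurring hundreds of times, as in the original report, is worth a look before you silence it.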
